|Jcink.com Forums > General Support > spambots?|
|Posted by: abbieleone Jan 4 2017, 12:59 AM|
|it's just started today, but we've had several of http://fromthisvalley.b1.jcink.com/index.php?showtopic=25714&hl= sort of advertisements show up on the site- it seems like spambots, but I'm not even sure if that's possible! Not sure if you can see the link since we've moved the threads to the trashcan.
Thanks in advance <3
|Posted by: SithLordOfSnark Jan 4 2017, 01:34 AM|
|That can't be viewed by anyone that isn't staff of your site, but if it's what I think it is, the same is happening on Caution lately.|
|Posted by: charlotte1912 Jan 4 2017, 02:05 AM|
| We have been getting this the last 24 hours as well. All seem to be from IPs that are from the Russian Federation according to the IPlocation facility.
We have banned the IPs and deleted them to the trash can of the site, but here are two example screenshots of the 7 we have had so far. Some are in Russian and others in English.
Is there anything else we can do? It's happening in the guest friendly area for advertising other RPG sites.
|Posted by: charlotte1912 Jan 4 2017, 08:37 AM|
| Here is one that I didn't delete:
It is now deleted as we have been hit multiple times since this one.
|Posted by: John Jan 4 2017, 08:45 AM|
| Please provide the IP(s) so I can see if it's one specific data center or all spread out and see where they've been as well.
Guest forums tend to be a hotbed for spam in general, so this is always a challenge.
|Posted by: abbieleone Jan 4 2017, 01:03 PM|
| 126.96.36.199 188.8.131.52
Those are the two I have on hand, I'll post the rest when I get home.
|Posted by: John Jan 4 2017, 03:29 PM|
|Two different countries there, hmm, so that's not good. We might have to start scanning every guest IP address during posting to see if they're in a spam database unfortunately. I'd like to not have to do that but if this becomes a problem that will be the only option we've got. Please let me know if you keep getting these.|
|Posted by: charlotte1912 Jan 4 2017, 04:37 PM|
| Here are ours, listed as follows: (in order of hit date and time - oldest to newest)
184.108.40.206 ( x2)
EDIT: We did a blanket IP ban on a few of these, e.g. 79.*.*.* and 141.105.*.* The last one was approx 1:30pm EST
|Posted by: John Jan 4 2017, 05:02 PM|
I have looked up each one of those IPs and their ranges, most of them have been associated with ranges that were caught spamming according to sfs.
So I have walled that group and as well any subgroups (wherever you see a /24 in this list, 255 ip addresses within that same subnet have also been banned) from the system, although I don't think this is going to be super effective at all unless they are just using the same IPs over and over again.
I would NOT do a blanket ban on 79.*.*.* -- this bans way too many valid users.
|Posted by: charlotte1912 Jan 4 2017, 05:34 PM|
|So would blanketing anything with just the first number say 188 and then *.*.* also be too limiting? What would you suggest as an alternative?|
|Posted by: John Jan 4 2017, 06:38 PM|
| Block /24's or: example 2.92.25.*
At maximum, block 2.92.*.*
This may be something we have to address at a higher level though with checking every guest post's IP, cat & mouse of blocking IPs doesn't sound like it will be effective here.
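Added example, not part of the original thread and not Jcink's code: it converts the wildcard bans discussed above into CIDR networks so their size can be compared, and groups a constructed list of offender IPs into bans that never go wider than a /16. The grouping thresholds, function names and sample addresses are assumptions made for illustration; IPv4 only.

```python
import ipaddress
from collections import defaultdict


def wildcard_to_network(pattern):
    """Turn a forum-style wildcard ban such as '2.92.25.*' into a CIDR network."""
    octets = pattern.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {pattern!r}")
    fixed = []
    for i, octet in enumerate(octets):
        if octet == "*":
            # Only trailing wildcards map onto a single CIDR prefix.
            if any(o != "*" for o in octets[i:]):
                raise ValueError(f"wildcards must be trailing: {pattern!r}")
            break
        fixed.append(octet)
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")


def addresses_banned(pattern):
    """Number of addresses a wildcard ban takes out."""
    return wildcard_to_network(pattern).num_addresses


def suggest_bans(offender_ips, hosts_per_24=2, subnets_per_16=3):
    """Group observed spam IPs into the narrowest bans that cover them.

    Assumed policy: a single IP stays a /32, several hosts in one /24 ban
    the /24, several /24s in one /16 ban the /16, and nothing is ever wider.
    """
    by_24 = defaultdict(set)
    for ip in offender_ips:
        addr = ipaddress.ip_address(ip)
        by_24[ipaddress.ip_network(f"{addr}/24", strict=False)].add(addr)
    by_16 = defaultdict(list)
    for net24 in by_24:
        by_16[net24.supernet(new_prefix=16)].append(net24)
    bans = []
    for net16, nets24 in by_16.items():
        if len(nets24) >= subnets_per_16:
            bans.append(net16)
            continue
        for net24 in nets24:
            hosts = by_24[net24]
            if len(hosts) >= hosts_per_24:
                bans.append(net24)
            else:
                bans.extend(ipaddress.ip_network(f"{h}/32") for h in hosts)
    return sorted(bans)


def is_banned(ip, bans):
    """True if the address falls inside any banned network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in bans)


# Constructed sample (documentation and private ranges, not real offenders).
SAMPLE_OFFENDERS = ["192.0.2.10", "192.0.2.77", "198.51.100.5", "203.0.113.1",
                    "10.20.1.5", "10.20.2.5", "10.20.3.5"]

if __name__ == "__main__":
    for pattern in ("2.92.25.*", "2.92.*.*", "79.*.*.*"):
        print(pattern, wildcard_to_network(pattern), addresses_banned(pattern))
    for net in suggest_bans(SAMPLE_OFFENDERS):
        print("ban", net)
```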
|Posted by: charlotte1912 Jan 4 2017, 10:08 PM|
| And one more for the list:
They are quite persistent :/
|Posted by: John Jan 4 2017, 10:11 PM|
| That's a fresh one apparently.
|Posted by: charlotte1912 Jan 7 2017, 12:47 AM|
| One more for the collection. At least it is less frequent now
|Posted by: John Jan 7 2017, 05:03 PM|
|Good to hear!|
|Posted by: charlotte1912 Jan 7 2017, 08:06 PM|
| The latest one was such a lovely message.. lol
Seems to have Dunald somewhere in the name of its hits.
|Posted by: ajill Jan 9 2017, 04:14 AM|
| I have had the same happening lately John, here are the IP's i got:
I have banned those from my board but, they seem to just post wherever they are allowed and sadly (like wanted ads, face claims) i cannot close those for guests to post so, please help?
|Posted by: John Jan 9 2017, 10:19 AM|
| I understand your frustration. I will look into adding a scan on all incoming IPs posting to guest forums as I am seeing more of this than just on your board(s). However it also isn't super widespread, either, at least not yet. I've walled those IP ranges for now as well, all /24s
Unfortunately the IP addresses used are also obviously very random. Spammers love guest forums as I said :/ I realize that many utilize the guest feature but it's always the biggest risk for spam, and the hardest to secure without making it a huge inconvenience to post.
Only about half of those IPs were listed in a spam database somewhere, so it won't be a silver bullet.
|Posted by: John Jan 11 2017, 07:06 PM|
| I implemented scanning of guest IP addresses. Based on the data I've collected in the last 24 hours, about 2,000 attempts to spam have been blocked by the checking.
Have any of you had spam similar to the stuff reported in the last 24 hours?
|Posted by: jess the hufflepuff Jan 13 2017, 10:05 PM|
| i've just recently started getting some spambots too!!
here's another ip for you
i'm a little confused, how are they getting past the captchas or are they actual people posting these?
|Posted by: John Jan 13 2017, 10:11 PM|
| captchas have been broken for years. none of them are 100%, they try and try until it is broken, even at a 30% success rate. actual people are not posting these.
did all of those IPs appear today or is that from the past? the last two are being actively blocked. I counted 300 blocked attempts for the third IP, and 10 for the second. the first was unlisted for some reason, unfortunately, I just listed it now.
so far i'm seeing pretty good success with the blacklist checking. over 6,000 attempts blocked now.
|Posted by: jess the hufflepuff Jan 13 2017, 11:08 PM|
| oooh had no idea!
220.127.116.11 was from the 11th of jan
18.104.22.168 [i didn't add this to the list, just noticed it] was from the 12th of jan
22.214.171.124 was from today
and i can't seem to find the 92 ip anymore
126.96.36.199 here's another one from the 10th! which is when they started, so i haven't had as much as the others that have been posting, but they seem to have only just started
i'll keep you updated if i get more
|Posted by: clicker Jan 14 2017, 07:44 PM|
| IP: [ 188.8.131.52 ]
IP: [ 184.108.40.206 ]
these were maybe within the last couple of hours on shine!
|Posted by: John Jan 14 2017, 07:46 PM|
| Looks like those are very fresh.
This doesn't look like it's going to stop any time soon, so moderation is going to be a must. The only thing we can do is try to change the captcha to something else, maybe add something that will confuse the bots for a while.
I'm seeing a much better situation though since I enabled the scanning of each guest IP.
|Posted by: jess the hufflepuff Jan 15 2017, 03:55 PM|
| these are all from the last like 10 or so hours!
they both posted 2 different advertisements, as well!
|Posted by: John Jan 15 2017, 04:01 PM|
| Those are fresh too, so I will add them, but this is becoming a game of cat & mouse.
IP banning specifically will not be effective so going forward I won't be banning anymore individual IPs unless I identify them to be highly toxic.
To date we've had about 10k attempts blocked by the scanning but it's missing the freshest of spammer IPs
|Posted by: clicker Jan 15 2017, 06:21 PM|
| IP: [ 220.127.116.11 ]
thanks for taking the time to try & look into this! in the meantime, just deleting the posts really isn't that excess. :^ )
|Posted by: serenity Jan 15 2017, 07:15 PM|
| caution and shine are getting quite a bit
ones from caution:
ones from shine:
while yes topics can be purged and/or moved, it's getting tedious and disabling guest posting isn't realistic for the ads area (though for some reason shine is getting all of them in the site necessities -> application templates area). i just hope this stops soon~
|Posted by: John Jan 15 2017, 07:36 PM|
| Are those all of them overall or just from today? many of them are listed and being already actively blocked now as of Jan 11th when I added the scanning.
so far caution has about ~200 blocked from scanning and so does shine from my logs. about equal there with the # of attempts.
but some of them, for example, are getting in because of being very new, ex:
just listed a couple hours ago unfortunately so it got you before it was listed.
in the next few days I will try adding a new line to the form to see if that helps. something basic like "Type the site's name here" or "What is 1+1" to see if I can at least temporarily throw off the bots.
|Posted by: serenity Jan 15 2017, 07:42 PM|
all the caution ones are from the 3rd until today, and the shine ones are only from the past 2-5 days up until today (aside from two of the IPs that were a little bit before the spam bots went crazy).
i'm so glad you're gonna add something. hopefully it'll successfully throw them off and then it'll stop. i'll keep my fingers crossed! and thank you so much for being such an amazing hoster. the fact you're so on top of things and so fast is really appreciated.
|Posted by: John Jan 15 2017, 07:44 PM|
| Ah, ok, that's good to know then.
It's only been about the past 4 days as it is since I started actively scanning each guest's IP to see if it's in SFS. So you should be happy to know that most of all the ones you've listed there are covered. Only the very newer listings, depending on when they hit, are getting to people now.
At the end of the week I'm going to compile all of the IPs collected as well in my log with number of attempts and firewall them directly based on their aggression type. Then the week after study the list again and see if I'm noticing a larger, smaller, or list of about the same size.
|Posted by: jess the hufflepuff Jan 17 2017, 04:33 PM|
| Here's a new list if you're still collecting!
All from today, so they're probably new ~
|Posted by: John Jan 17 2017, 05:13 PM|
|Yes they are indeed. They've already been added to SFS, I think; I didn't check all of them. I'm not collecting IPs from individual postings anymore though as I've got my own logger but I appreciate the lists anyway!|
|Posted by: Delphi Jan 17 2017, 05:57 PM|
| These are from the last couple hours, I know you're not actively collecting but you did say you appreciated the lists, so I figured we'd just report.
Removing isn't bad, but these things are crazy, these few IP addresses posted approximately 12-15 posts of spam in the span of maybe 20 minutes?
Also to note: We are only seeing these excessive bot posts in our "Advertise" section and not our "guest Friendly" board even though they both have the same criteria to post (the security key).
not sure if that's helpful or not, but figured it was interesting since we haven't seen a single piece of spam in our guest friendly area.
|Posted by: PANIC! ITS LAUZ Jan 17 2017, 08:24 PM|
| well regardless of whether or not they're helpful, or you're logging them yourself, figured i'd just post all the things i gathered from SHINE anyway. some of these were even posted in forums that only members can see? so it hasn't just been guest friendly boards either. all from the last few days.
|Posted by: xo Lola Jan 17 2017, 09:50 PM|
One of the spambots .... registered ???? to post ???? their garbage ???
this is a screenshot from Caution, the post has since been deleted but
how did it get past the captcha?
|Posted by: John Jan 17 2017, 09:50 PM|
| Here is a list I have just produced after about a week's worth of logging that I started on the 11th. I have parsed and compiled them.
These have all been firewalled directly now and I'll be collecting a new list. Should you have been hit in the past by any of these IPs above you will no longer be hit by them as of today. This list comes from 15,000 failed attempts because of being spam listed. In addition some subnets that I have elected to block are not shown there as well and are taken care of.
|Posted by: John Jan 17 2017, 09:54 PM|
we don't use a particularly strong captcha to begin with, because they are very annoying and it hasn't been necessary, perhaps until now. I may try reCaptcha because they've got the little checkbox feature now, but http://news.softpedia.com/news/google-recaptcha-cracked-in-new-automated-attack-502677.shtml either.
I'm exploring new options even if they will temporarily throw them off for a while.
|Posted by: jess the hufflepuff Jan 18 2017, 04:39 PM|
| hi me again!
just one this time:
|Posted by: page thirteen. Jan 18 2017, 08:21 PM|
| I've got IP addresses from two sites that have been hit in the past two days - I've checked and they're not on the list above, so I hope this is helpful!
|Posted by: John Jan 18 2017, 10:38 PM|
| I have installed recaptcha checkbox as a trial.
I am logging both failed attempts and successful attempts, so we will see what the results are.
It is significantly more annoying though because the more you post, the more it will force you to do activities such as pick out what images are similar, etc but there is nothing I can do about that for the moment.
|Posted by: John Jan 19 2017, 12:31 PM|
| Seeing really good success in the last 12 hours, here is just a clip of everything that was blocked by reCaptcha
I'm also keeping track of guest captcha success, and at this time out of the hundreds of guest postings I'm not seeing a single one that is spam.
DNSBLs are also updating more frequently.
I will probably build reCaptcha into the registration system next if this continues to work out.
|Posted by: John Jan 20 2017, 02:23 PM|
| Seeing -really- good results here with everything I've done.
How about everyone else? Anything at all yesterday or today?
|Posted by: microneppy Jan 22 2017, 08:39 AM|
| I think there are two ways it could be prevented:
* Auto IP-ban any user that directly hits the register page on their first visit to the site. Spammers tend to hit straight onto the register page with either no referrer or a junk referrer from a spam site, I've seen a few hit the index beforehand but they rarely do so. Real users 99% of the time see the index page or a thread before registering.
* Implement the StopForumSpam API into the register and login page, and IP ban any matches.
I've dealt with these bots before on XMB and MyBB boards, by the way. They use some kind of tool like XRumer or Scrapebox to spam from multiple IPs from a VPS.
As well, forum admins, implement a good security question! Something like "What is 4 + 18 -7" would be easily solvable, whereas asking questions about the forum itself would be less obvious, but spammers would be destroyed.
|Posted by: John Jan 22 2017, 12:08 PM|
Then these are the exception. They're not going for the register page at all in my logs, they hit the index, then the bot scans for guest forums. I think they look for keywords such as "Advertise" and wiggle their way in. Their referrers are clean too. We already do quite a bit on the backend to check for patterns as well that I won't mention here in case these guys are reading this board.
Already being done for years, I love SFS and they do a great job. We can't use their API specifically because of too many requests but their database is dl'd and run on one of my servers for our high-use only.
We have always used SFS for the registration page. Login page is too aggressive. But the focus has been on guests only -- now we are scanning every guest IP and that's going well too.
The problem with SFS now though, is that it's very effective... but not in this instance. SFS is missing -many- of these IP addresses, just by a few hours in some cases. These guys are getting fresh addresses and dumping them very quickly.
Xrumer has been a pain in my ass for... years, but I've been able to thwart them with my own funky captcha and SFS. It looks like that will no longer be an option
I'm thinking they did yet another revision to the software. But these guys cannot get past this reCaptcha at the security level I have set now, and thankfully google had made it possible to implement reCaptcha a lot easier in a service like ours with tons of subdomains and domains, so it couldn't have happened at a better time. I never liked reCaptcha because it was not that great and the "captchas" could be purchased for pennies on the dollar. Things have changed quite a bit...
They can't do this since it isn't an option on our service, BUT, since the current captcha is finally dead I will be replacing it with this option as I know exactly what you mean.
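Added example, not part of the original thread and not Jcink's code: a sketch of the layered guest-post check John describes in this thread, with a lookup against a locally hosted spam-IP snapshot first, a captcha result second, per-IP logging of blocked attempts, and a periodic compile of the most aggressive addresses for firewalling. The class, its method names, the threshold and the sample data are all assumptions; the snapshot and attempts are constructed.

```python
from collections import Counter

# Constructed snapshot standing in for a locally hosted spam-IP database.
LISTED_SNAPSHOT = {"192.0.2.10", "192.0.2.77", "203.0.113.1"}

# Constructed guest posting attempts: (ip, captcha_passed).
SAMPLE_ATTEMPTS = [
    ("192.0.2.10", False), ("192.0.2.10", False), ("192.0.2.10", False),
    ("198.51.100.5", False), ("198.51.100.5", False),  # fresh IP, not listed yet
    ("198.51.100.9", True),                            # ordinary guest
    ("203.0.113.1", True),                             # listed, so captcha is moot
]


class GuestPostGate:
    """Decide whether a guest post is accepted and log why it was not."""

    def __init__(self, listed_ips):
        self.listed = set(listed_ips)
        self.blocked_listed = Counter()   # ip -> attempts stopped by the snapshot
        self.blocked_captcha = Counter()  # ip -> attempts stopped by the captcha
        self.accepted = Counter()         # ip -> posts let through

    def check(self, ip, captcha_passed):
        # Layer 1: the local snapshot is checked before anything else.
        if ip in self.listed:
            self.blocked_listed[ip] += 1
            return "blocked:listed"
        # Layer 2: unlisted addresses still have to pass the captcha.
        if not captcha_passed:
            self.blocked_captcha[ip] += 1
            return "blocked:captcha"
        self.accepted[ip] += 1
        return "accepted"

    def firewall_candidates(self, min_attempts):
        """Periodic compile: blocked IPs at or above the threshold, worst first."""
        combined = self.blocked_listed + self.blocked_captcha
        return [(ip, n) for ip, n in combined.most_common() if n >= min_attempts]

    def unlisted_offenders(self):
        """IPs the captcha stopped that the snapshot did not know about."""
        return sorted(ip for ip in self.blocked_captcha if ip not in self.listed)


def replay(attempts, listed_ips):
    """Run a batch of attempts through a fresh gate; return (gate, verdicts)."""
    gate = GuestPostGate(listed_ips)
    verdicts = [gate.check(ip, ok) for ip, ok in attempts]
    return gate, verdicts


if __name__ == "__main__":
    gate, verdicts = replay(SAMPLE_ATTEMPTS, LISTED_SNAPSHOT)
    print(verdicts)
    print("firewall:", gate.firewall_candidates(min_attempts=2))
    print("not yet listed:", gate.unlisted_offenders())
```

The `unlisted_offenders` output is the freshness gap described in the post above: addresses that were spamming before any list carried them, which only the second layer caught.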
|Posted by: jess the hufflepuff Jan 22 2017, 06:01 PM|
|update: everything seems 100% thank you so much!!|
|Posted by: John Jan 23 2017, 09:31 PM|
| Good to hear. My logs basically confirm the same thing. There is near 100% success rate in keeping these guys out. In fact I think so far it *is* 100% and only a couple of manual spammers got in, according to my logs.
So we're in extremely good shape, they are trying super hard to post garbage but failing. I have a reCaptcha failure log thousands and thousands of lines long with "Из окон отеля Мардан Турция всегда идеал&" and "Жители Турции – общество и этикет" for the topic titles - whatever those mean, but definitely spam content.
I've hooked up reCaptcha to the registration page as well so they cannot decide to strike that page.
Meanwhile, SFS is still blocking tons of them before they even reach the page.
|Posted by: serenity Jan 12 2018, 04:54 AM|
| getting spam again, most originating from the first IP on this list, but thought i'd give a heads up.
here are some IPs (the first one spammed three separate times after we thought it was banned but apparently not):
|Posted by: John Jan 12 2018, 12:33 PM|
| Those two should not be a problem anymore. I refreshed and rebuilt the SFS database also.
18.104.22.168 looks like an "essay" spammer of some type. I'm tempted to just block that whole ASN.
Doing some research looks like reCaptcha v2 was cracked late this year:
Someone created this tool to solve the new captcha through the audio function, great:
Some of these spammers are willing to pay for the voice recognition services to get past the captcha. I'll try to find a way to disable the audio option and see if we have greater success, but I'm not seeing it anywhere.
|Posted by: serenity Jan 13 2018, 10:11 AM|
| thanks so much john for working so hard to get this handled. you are awesome! here's hoping you can figure out a way to disable the audio, sucks that it got cracked. it's also ironic that exactly a year later they're back, lol.
here are some more IPs:
|Posted by: John Jan 14 2018, 12:36 PM|
| I have looked and thus far there does not seem to be a way to disable the audio. Many have asked for this but no response.
We will not have a captcha that works as effectively as before until this option is added by Google, board owners will need to be vigilant in clearing spam from guest enabled forums until then.
I recommend wildcard blocking repeat /16s that you see, ex 95.79.*.*